executor, sys/linux, pkg: enable syz_kvm_setup_cpu for riscv64

6eanut · 6eanut · commit 2fa2bb8de0e6 · 2026-01-10T09:52:48.000+08:00
diff --git a/executor/common_kvm_riscv64.h b/executor/common_kvm_riscv64.h
@@ -0,0 +1,158 @@
+// Copyright 2026 syzkaller project authors. All rights reserved.
+// Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.
+
+#ifndef EXECUTOR_COMMON_KVM_RISCV64_H
+#define EXECUTOR_COMMON_KVM_RISCV64_H
+
+// This file is shared between executor and csource package.
+
+// Implementation of syz_kvm_setup_cpu pseudo-syscall.
+
+#include <stdint.h>
+#include <string.h>
+#include <sys/ioctl.h>
+
+struct kvm_text {
+	uintptr_t type;
+	const void* text;
+	uintptr_t size;
+};
+
+// RISC-V register ID construction macros
+#define RISCV_CORE_REG(idx) (KVM_REG_RISCV | KVM_REG_SIZE_U64 | KVM_REG_RISCV_CORE | (idx))
+#define RISCV_CSR_REG(idx) (KVM_REG_RISCV | KVM_REG_SIZE_U64 | KVM_REG_RISCV_CSR | (idx))
+
+// CSR register indices in kvm_riscv_csr struct
+#define CSR_SSTATUS 0
+#define CSR_SIE 1
+#define CSR_STVEC 2
+#define CSR_SSCRATCH 3
+#define CSR_SEPC 4
+#define CSR_SCAUSE 5
+#define CSR_STVAL 6
+#define CSR_SIP 7
+#define CSR_SATP 8
+
+// CORE register indices
+#define CORE_PC 0x00
+#define CORE_RA 0x01
+#define CORE_SP 0x02
+#define CORE_GP 0x03
+#define CORE_TP 0x04
+#define CORE_T0 0x05
+#define CORE_T1 0x06
+#define CORE_T2 0x07
+#define CORE_S0 0x08
+#define CORE_S1 0x09
+#define CORE_A0 0x0a
+#define CORE_A1 0x0b
+#define CORE_A2 0x0c
+#define CORE_A3 0x0d
+#define CORE_A4 0x0e
+#define CORE_A5 0x0f
+#define CORE_A6 0x10
+#define CORE_A7 0x11
+#define CORE_S2 0x12
+#define CORE_S3 0x13
+#define CORE_S4 0x14
+#define CORE_S5 0x15
+#define CORE_S6 0x16
+#define CORE_S7 0x17
+#define CORE_S8 0x18
+#define CORE_S9 0x19
+#define CORE_S10 0x1a
+#define CORE_S11 0x1b
+#define CORE_T3 0x1c
+#define CORE_T4 0x1d
+#define CORE_T5 0x1e
+#define CORE_T6 0x1f
+#define CORE_MODE 0x20 // Privilege mode: 1=S-mode, 0=U-mode
+
+// SSTATUS register bit definitions
+#define SSTATUS_SPP (1UL << 8) // Previous privilege (0=User, 1=Supervisor)
+#define SSTATUS_SPIE (1UL << 5) // Previous interrupt enable
+#define SSTATUS_SIE (1UL << 1) // Supervisor interrupt enable
+
+// Helper function to set a register
+static inline int kvm_set_reg(int cpufd, uint64_t id, uint64_t value)
+{
+	struct kvm_one_reg reg = {
+	    .id = id,
+	    .addr = (uint64_t)&value,
+	};
+	return ioctl(cpufd, KVM_SET_ONE_REG, &reg);
+}
+
+#define CODE_START 0x80000000ULL
+
+// syz_kvm_setup_cpu$riscv64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_riscv64, 1]])
+static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1,
+				       volatile long a2, volatile long a3)
+{
+	const int vmfd = a0;
+	const int cpufd = a1;
+	char* const host_mem = (char*)a2;
+	const struct kvm_text* const text_array_ptr = (struct kvm_text*)a3;
+
+	const uintptr_t page_size = SYZ_PAGE_SIZE;
+	const uintptr_t guest_pages = 24;
+	const uintptr_t guest_mem_size = guest_pages * page_size;
+
+	ioctl(vmfd, KVM_GET_API_VERSION, NULL);
+
+	// ---- 1. Install guest memory ----
+	for (uintptr_t i = 0; i < guest_pages; i++) {
+		struct kvm_userspace_memory_region mem = {
+		    .slot = (uint32_t)i,
+		    .flags = 0,
+		    .guest_phys_addr = CODE_START + i * page_size,
+		    .memory_size = page_size,
+		    .userspace_addr =
+			(uintptr_t)(host_mem + i * page_size),
+		};
+
+		if (ioctl(vmfd, KVM_SET_USER_MEMORY_REGION, &mem))
+			return -1;
+	}
+
+	// ---- 2. Copy guest text ----
+	const void* text = 0;
+	uintptr_t size = 0;
+
+	NONFAILING(text = text_array_ptr[0].text);
+	NONFAILING(size = text_array_ptr[0].size);
+
+	if (size > guest_mem_size)
+		size = guest_mem_size;
+
+	memcpy(host_mem, text, size);
+
+	// ---- 3. Initialize VCPU registers ----
+
+	// Set PC (program counter) to start of code
+	if (kvm_set_reg(cpufd, RISCV_CORE_REG(CORE_PC), CODE_START))
+		return -1;
+
+	// Set SP (stack pointer) at end of memory, reserving space for stack
+	uint64_t stack_top = CODE_START + guest_mem_size - page_size;
+	if (kvm_set_reg(cpufd, RISCV_CORE_REG(CORE_SP), stack_top))
+		return -1;
+
+	// Set privilege mode to S-mode (Supervisor mode)
+	if (kvm_set_reg(cpufd, RISCV_CORE_REG(CORE_MODE), 1))
+		return -1;
+
+	// Set SSTATUS CSR with SPP (previous privilege) and SPIE (previous interrupt enable)
+	uint64_t sstatus = SSTATUS_SPP | SSTATUS_SPIE;
+	if (kvm_set_reg(cpufd, RISCV_CSR_REG(CSR_SSTATUS), sstatus))
+		return -1;
+
+	// Set STVEC (exception vector address)
+	uint64_t stvec = CODE_START + page_size;
+	if (kvm_set_reg(cpufd, RISCV_CSR_REG(CSR_STVEC), stvec))
+		return -1;
+
+	return 0;
+}
+
+#endif // EXECUTOR_COMMON_KVM_RISCV64_H
diff --git a/executor/common_linux.h b/executor/common_linux.h
@@ -3216,6 +3216,8 @@ static long syz_mount_image(
 #include "common_kvm_arm64.h"
 #elif GOARCH_ppc64 || GOARCH_ppc64le
 #include "common_kvm_ppc64.h"
+#elif GOARCH_riscv64
+#include "common_kvm_riscv64.h"
 #elif SYZ_EXECUTOR || __NR_syz_kvm_setup_cpu
 static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)
 {
diff --git a/pkg/compiler/types.go b/pkg/compiler/types.go
@@ -641,7 +641,7 @@ var typeText = &typeDesc{
 
 var typeArgTextType = &typeArg{
 	Kind:  kindIdent,
-	Names: []string{"target", "x86_real", "x86_16", "x86_32", "x86_64", "arm64", "ppc64"},
+	Names: []string{"target", "x86_real", "x86_16", "x86_32", "x86_64", "arm64", "ppc64", "riscv64"},
 }
 
 func genTextType(t *ast.Type) prog.TextKind {
@@ -660,6 +660,8 @@ func genTextType(t *ast.Type) prog.TextKind {
 		return prog.TextArm64
 	case "ppc64":
 		return prog.TextPpc64
+	case "riscv64":
+		return prog.TextTarget
 	default:
 		panic(fmt.Sprintf("unknown text type %q", t.Ident))
 	}
diff --git a/pkg/vminfo/linux_syscalls.go b/pkg/vminfo/linux_syscalls.go
@@ -196,6 +196,10 @@ func linuxSyzKvmSupported(ctx *checkContext, call *prog.Syscall) string {
 		if ctx.target.Arch == targets.PPC64LE {
 			return ""
 		}
+	case "syz_kvm_setup_cpu$riscv64":
+		if ctx.target.Arch == targets.RiscV64 {
+			return ""
+		}
 	}
 	return unsupportedArch
 }
diff --git a/sys/linux/dev_kvm.txt b/sys/linux/dev_kvm.txt
@@ -350,8 +350,17 @@ kvm_one_reg [
 	arm64_sve	kvm_one_reg_arm64_range[0x6080000000150000:0x6080000000150620]
 	arm64_sve_vls	kvm_one_reg_arm64_range[0x606000000015ffff]
 	other		kvm_one_reg_other
+# For riscv64
+	riscv64_config	kvm_one_reg_riscv64[kvm_regs_riscv64_config]
+	riscv64_core	kvm_one_reg_riscv64[kvm_regs_riscv64_core]
+	riscv64_csr	kvm_one_reg_riscv64[kvm_regs_riscv64_csr]
 ]
 
+type kvm_one_reg_riscv64[FTYPE] {
+	id	flags[FTYPE, int64]
+	addr	ptr64[inout, int64]
+}
+
 type kvm_one_reg_arm64[FTYPE] {
 	id	flags[FTYPE, int64]
 	addr	ptr64[inout, int64]
@@ -623,3 +632,8 @@ kvm_regs_arm64_sys = 0x6030000000138002, 0x6030000000138010, 0x6030000000138012,
 # Extra registers that KVM_GET_REG_LIST prints on QEMU
 kvm_regs_arm64_extra = 0x603000000013c01b, 0x603000000013c01f, 0x603000000013c022, 0x603000000013c023, 0x603000000013c025, 0x603000000013c026, 0x603000000013c027, 0x603000000013c02a, 0x603000000013c02b, 0x603000000013c02e, 0x603000000013c02f, 0x603000000013c033, 0x603000000013c034, 0x603000000013c035, 0x603000000013c036, 0x603000000013c037, 0x603000000013c03b, 0x603000000013c03c, 0x603000000013c03d, 0x603000000013c03e, 0x603000000013c03f, 0x603000000013c103, 0x603000000013c512, 0x603000000013c513
 # End of register descriptions generated by tools/arm64/registers.go
+
+# for riscv64, https://elixir.bootlin.com/linux/v6.19-rc4/source/Documentation/virt/kvm/api.rst#L2765
+kvm_regs_riscv64_config = 0x8030000000100000
+kvm_regs_riscv64_core = 0x8030000000200000, 0x8030000000200001, 0x8030000000200002, 0x8030000000200003, 0x8030000000200004, 0x8030000000200005, 0x8030000000200006, 0x8030000000200007, 0x8030000000200008, 0x8030000000200009, 0x803000000020000a, 0x803000000020000b, 0x803000000020000c, 0x803000000020000d, 0x803000000020000e, 0x803000000020000f, 0x8030000000200010, 0x8030000000200011, 0x8030000000200012, 0x8030000000200013, 0x8030000000200014, 0x8030000000200015, 0x8030000000200016, 0x8030000000200017, 0x8030000000200018, 0x8030000000200019, 0x803000000020001a, 0x803000000020001b, 0x803000000020001c, 0x803000000020001d, 0x803000000020001e, 0x803000000020001f, 0x8030000000200020
+kvm_regs_riscv64_csr = 0x8030000000300000, 0x8030000000300001, 0x8030000000300002, 0x8030000000300003, 0x8030000000300004, 0x8030000000300005, 0x8030000000300006, 0x8030000000300007, 0x8030000000300008
diff --git a/sys/linux/dev_kvm_riscv64.txt b/sys/linux/dev_kvm_riscv64.txt
@@ -12,3 +12,11 @@ ioctl$KVM_SET_GUEST_DEBUG_riscv64(fd fd_kvmcpu, cmd const[KVM_SET_GUEST_DEBUG],
 kvm_guest_debug_arch_riscv64 {
 	reg	array[int64, 8]
 }
+
+syz_kvm_setup_cpu$riscv64(fd fd_kvmvm, cpufd fd_kvmcpu, usermem vma[24], text ptr[in, array[kvm_text_riscv64, 1]])
+
+kvm_text_riscv64 {
+	type	const[0, intptr]
+	text	ptr[in, text[riscv64]]
+	size	len[text, intptr]
+}
diff --git a/sys/linux/test/syz_kvm_setup_cpu_riscv64 b/sys/linux/test/syz_kvm_setup_cpu_riscv64
@@ -0,0 +1,22 @@
+#
+# requires: arch=riscv64
+#
+
+r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
+r1 = ioctl$KVM_CREATE_VM(r0, AUTO, 0x0)
+r2 = ioctl$KVM_CREATE_VCPU(r1, AUTO, 0x0)
+
+# Set the register
+#   0x04200513,   li a0, 0x42      (addi a0, zero, 0x42)
+#   0x06300593,   li a1, 0x63      (addi a1, zero, 0x63)
+# Load the MMIO address to t1 (without affecting a0, a1)
+#   0x40000337,   lui t1, 0x40000 (load 20 bits high to t1)
+# Read from the MMIO address (this triggers KVM_EXIT_MMIO)
+#   0x00032683,   lw a3, 0(t1) (read from address 0x40000000 to a3)
+syz_kvm_setup_cpu$riscv64(r1, r2, &(0x7f0000fe8000/0x180000)=nil,&(0x7f0000000000)=[{0x0, &(0x7f0000001000)="13052004930530063703004083260300", 0xf}])
+
+ioctl$KVM_RUN(r2, AUTO, 0x0)
+
+ioctl$KVM_GET_ONE_REG(r2, AUTO, &AUTO=@riscv64_core={0x803000000200000a, &AUTO})
+ioctl$KVM_GET_ONE_REG(r2, AUTO, &AUTO=@riscv64_config={0x8030000001000000, &AUTO})
+ioctl$KVM_GET_ONE_REG(r2, AUTO, &AUTO=@riscv64_csr={0x8030000003000000, &AUTO})

Original file line number	Diff line number	Diff line change
`@@ -3216,6 +3216,8 @@ static long syz_mount_image(`
`3216`	`3216`	`#include "common_kvm_arm64.h"`
`3217`	`3217`	`#elif GOARCH_ppc64 \|\| GOARCH_ppc64le`
`3218`	`3218`	`#include "common_kvm_ppc64.h"`
	`3219`	`+#elif GOARCH_riscv64`
	`3220`	`+#include "common_kvm_riscv64.h"`
`3219`	`3221`	`#elif SYZ_EXECUTOR \|\| __NR_syz_kvm_setup_cpu`
`3220`	`3222`	`static volatile long syz_kvm_setup_cpu(volatile long a0, volatile long a1, volatile long a2, volatile long a3, volatile long a4, volatile long a5, volatile long a6, volatile long a7)`
`3221`	`3223`	`{`
Original file line number	Diff line number	Diff line change
`@@ -196,6 +196,10 @@ func linuxSyzKvmSupported(ctx checkContext, call prog.Syscall) string {`
`196`	`196`	`if ctx.target.Arch == targets.PPC64LE {`
`197`	`197`	`return ""`
`198`	`198`	`}`
	`199`	`+ case "syz_kvm_setup_cpu$riscv64":`
	`200`	`+ if ctx.target.Arch == targets.RiscV64 {`
	`201`	`+ return ""`
	`202`	`+ }`
`199`	`203`	`}`
`200`	`204`	`return unsupportedArch`
`201`	`205`	`}`